Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-12120
Publication date:
14/05/2018
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parm in the "/goform/net_WebPingGetValue" URI to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2022

CVE-2017-12121
Publication date:
14/05/2018
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2022

CVE-2017-12123
Publication date:
14/05/2018
An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12124
Publication date:
14/05/2018
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12125
Publication date:
14/05/2018
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the CN= parm in the "/goform/net_WebCSRGen" uri to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12126
Publication date:
14/05/2018
An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12127
Publication date:
14/05/2018
A password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12128
Publication date:
14/05/2018
An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted TCP packet can cause information disclosure. An attacker can send a crafted TCP packet to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2017-12129
Publication date:
14/05/2018
An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2018-8843
Publication date:
14/05/2018
Rockwell Automation Arena versions 15.10.00 and prior contains a use after free vulnerability caused by processing specially crafted Arena Simulation Software files that may cause the software application to crash, potentially losing any unsaved data..
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-10991
Publication date:
14/05/2018
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-10990. Reason: This candidate is a reservation duplicate of CVE-2018-10990. Notes: All CVE users should reference CVE-2018-10990 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-10252
Publication date:
14/05/2018
An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. The admin login session cookie is insecurely generated making admin session hijacking possible. When an admin logs in, a session cookie is generated using the time of day rounded to 10ms. Since the web server returns its current time of day in responses, it is possible to step backward through possible session values until a working one is found. Once a working session ID is found, an attacker then has admin control of the device and can add a secondary SSID to create a backdoor to the network.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2018
Subscribe to Vulnerabilities